|
|
|
@ -490,7 +490,8 @@ Have fun!
|
|
|
|
|
session file.</para>
|
|
|
|
|
|
|
|
|
|
<para>Please note that LAM does not ship with a selinux policy. Please
|
|
|
|
|
disable selinux or create your own policy.</para>
|
|
|
|
|
disable selinux or <link linkend="selinux">create your own
|
|
|
|
|
policy</link>.</para>
|
|
|
|
|
|
|
|
|
|
<para>See <link linkend="a_schema">LDAP schema fles</link> for
|
|
|
|
|
information about used LDAP schema files.</para>
|
|
|
|
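Review bot: the reworded sentence still presents "disable selinux" as the first and equal option, which is the wrong default for a security-relevant product manual; since this patch adds a dedicated section for the policy route, suggest reordering so that extending the policy is the recommended path and disabling is explicitly the fallback, e.g. "Please <link linkend="selinux">create your own policy</link> or, if that is not possible, disable selinux." While touching this paragraph, "selinux" should be written "SELinux" (the project name) for consistency, and the unchanged context line two paragraphs below still reads "LDAP schema fles" ("files"), which would be a cheap drive-by fix in the same commit.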
@ -10444,6 +10445,82 @@ OK (10 msec)</programlisting>
|
|
|
|
|
</section>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section id="selinux">
|
|
|
|
|
<title>Selinux</title>
|
|
|
|
|
|
|
|
|
|
<para>In case your server has selinux installed you might need to extend
|
|
|
|
|
the selinux ruleset. E.g. your webserver might not be allowed to write
|
|
|
|
|
in /var/lib.</para>
|
|
|
|
|
|
|
|
|
|
<para><emphasis role="bold">Read selinux status</emphasis></para>
|
|
|
|
|
|
|
|
|
|
<para>The following command will tell you if selinux is running in
|
|
|
|
|
Enforcing or Permissive mode.</para>
|
|
|
|
|
|
|
|
|
|
<para>Enforcing: access that does not match rules is denied</para>
|
|
|
|
|
|
|
|
|
|
<para>Permissive: access that does not match rules is granted but logged
|
|
|
|
|
to audit.log</para>
|
|
|
|
|
|
|
|
|
|
<programlisting>getenforce</programlisting>
|
|
|
|
|
|
|
|
|
|
<para><emphasis role="bold">Set selinux to Permissive
|
|
|
|
|
mode</emphasis></para>
|
|
|
|
|
|
|
|
|
|
<para>This will just log any access violations. You will need this to
|
|
|
|
|
get a list of missing rights.</para>
|
|
|
|
|
|
|
|
|
|
<programlisting>setenforce Permissive</programlisting>
|
|
|
|
|
|
|
|
|
|
<para>Now do any actions inside LAM that you need for your daily work
|
|
|
|
|
(e.g. edit server profiles, manage LDAP entries, ...).</para>
|
|
|
|
|
|
|
|
|
|
<para><emphasis role="bold">Extend selinux rules</emphasis></para>
|
|
|
|
|
|
|
|
|
|
<para>Selinux now has logged any violations to audit.log. You can use
|
|
|
|
|
this now to extend your ruleset and enable enforcing later.</para>
|
|
|
|
|
|
|
|
|
|
<para>The following example is for httpd. You can also adapt it to e.g.
|
|
|
|
|
nginx.</para>
|
|
|
|
|
|
|
|
|
|
<programlisting># build additional selinux rules from audit.log
|
|
|
|
|
grep httpd /var/log/audit/audit.log | audit2allow -m httpdlocal -o httpdlocal.te
|
|
|
|
|
</programlisting>
|
|
|
|
|
|
|
|
|
|
<para>The httpdlocal.te might look like this:</para>
|
|
|
|
|
|
|
|
|
|
<programlisting>module httpdlocal 1.0;
|
|
|
|
|
|
|
|
|
|
require {
|
|
|
|
|
type httpd_t;
|
|
|
|
|
type var_lib_t;
|
|
|
|
|
class file { setattr write };
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#============= httpd_t ==============
|
|
|
|
|
|
|
|
|
|
#!!!! WARNING 'httpd_t' is not allowed to write or create to var_lib_t. Change the label to httpd_var_lib_t.
|
|
|
|
|
#!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf
|
|
|
|
|
#!!!! $ restorecon -R -v /var/lib/ldap-account-manager/config/lam.conf
|
|
|
|
|
allow httpd_t var_lib_t:file { setattr write };
|
|
|
|
|
</programlisting>
|
|
|
|
|
|
|
|
|
|
<para>Now we can compile and install this rule:</para>
|
|
|
|
|
|
|
|
|
|
<programlisting># build module
|
|
|
|
|
checkmodule -M -m -o httpdlocal.mod httpdlocal.te
|
|
|
|
|
# package module
|
|
|
|
|
semodule_package -o httpdlocal.pp -m httpdlocal.mod
|
|
|
|
|
# install module
|
|
|
|
|
semodule -i httpdlocal.pp</programlisting>
|
|
|
|
|
|
|
|
|
|
<para>Now you can switch back to Enforcing mode:</para>
|
|
|
|
|
|
|
|
|
|
<programlisting>setenforce Enforcing</programlisting>
|
|
|
|
|
|
|
|
|
|
<para>LAM should now work as expected with active selinux.</para>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>Chrooted servers</title>
|
|
|
|
|
|
|
|
|
|
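Review bot: the example .te file quoted in this section contradicts the procedure built around it: audit2allow's own output says "'httpd_t' is not allowed to write or create to var_lib_t. Change the label to httpd_var_lib_t." and prints the semanage fcontext / restorecon commands to do so, yet the text then tells the reader to compile and install the module anyway. The resulting rule `allow httpd_t var_lib_t:file { setattr write };` grants the web server write access to every file carrying the generic var_lib_t label, i.e. most of /var/lib, not just LAM's configuration, which defeats the point of running SELinux on that host. Suggest the section follow the warning instead of the allow rule: relabel the LAM data directory (the quoted `semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf` covers only one file; a pattern such as "/var/lib/ldap-account-manager(/.*)?" followed by `restorecon -R -v /var/lib/ldap-account-manager` is needed for the session and config files mentioned earlier), and present audit2allow/semodule only for denials that remain after relabeling, with an explicit instruction to read the generated .te before installing it. Two smaller points in the same hunk: `grep httpd /var/log/audit/audit.log | audit2allow ...` feeds every historical httpd denial on the machine into the module, so it should at least be narrowed to recent AVC records (e.g. `ausearch -m AVC -c httpd -ts recent | audit2allow ...`); and `setenforce Permissive` / `setenforce Enforcing` only change the runtime mode, so the text should mention that the persistent setting lives in /etc/selinux/config and that a reboot during the permissive window would silently restore enforcing mode. The section title "Selinux" should also be "SELinux" to match the project's spelling.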